Discussion:
issue with set_tlsext_ticket_key_cb and set_verify
DEXTER
2014-09-25 11:56:39 UTC
Hi!

I have an openssl server, and I'm using the
SSL_CTX_set_tlsext_ticket_key_cb to set a callback to be able to use
tls tickets.

When the SSL_CTX_set_verify callback is not set, then it works as it should.
But as soon as I set a verify callback (to verify the client cert) I
get this error when the client tries to connect:

error:140D9115:SSL
routines:lib(20):SSL_GET_PREV_SESSION:func(217):session id context
uninitialized:reason(277)

Does anyone have any idea why this happens?

Thanks.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
DEXTER
2014-09-25 12:51:16 UTC
Also, checking the OpenSSL source (apps/s_server.c) to find out why it
works with plain s_client/s_server, I see this:

static int s_server_session_id_context = 1; /* anything will do */

SSL_CTX_set_session_id_context(ctx, (void *)&s_server_session_id_context,
                               sizeof s_server_session_id_context);

Can anybody tell me what the hell this hack is? "Anything will do"? An &int
converted to void*, when the function itself should take a const
unsigned char*? What?
Viktor Dukhovni
2014-09-26 01:08:34 UTC
While RTFS is a fine strategy, generally RTFM first:

https://www.openssl.org/docs/ssl/SSL_CTX_set_session_id_context.html

Postfix uses:

static const char server_session_id_context[] = "Postfix/TLS";
SSL_CTX_set_session_id_context(ctx,
                               (void *) &server_session_id_context,
                               sizeof(server_session_id_context));

You should use something that identifies your application.
--
Viktor.
DEXTER
2014-09-26 06:04:48 UTC
It's OK that I have to use this function, but what I don't understand is
why I have to use it. Why do I have to set an arbitrary string? Why
doesn't OpenSSL do this internally, so that I don't have to know about an
obscure thing to set to make it work?
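As an added illustration (not code from this thread, from OpenSSL or from Postfix), here is a stand-alone C model of the check that produces the error quoted at the top. When a client offers a session, whether found in the server's cache or decrypted from a ticket, OpenSSL's server compares the session-id context stored in the session with the context of the SSL it is resuming into: a mismatch is treated as a cache miss (full handshake, no error), and if the verify mode includes SSL_VERIFY_PEER while no context was ever set, the server raises SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED instead of silently giving up on resumption. That is why the error appears only once a client-verifying callback is installed. The struct names, the simulate() helper and the constants SID_CTX_MAX_LEN and VERIFY_PEER are this example's own stand-ins for OpenSSL's SSL_MAX_SID_CTX_LENGTH and SSL_VERIFY_PEER; the identifiers passed in main() are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Added model of OpenSSL's server-side session-id-context check
 * (ssl_get_prev_session). Not OpenSSL code: names below are this
 * example's own; SID_CTX_MAX_LEN mirrors SSL_MAX_SID_CTX_LENGTH and
 * VERIFY_PEER stands in for SSL_VERIFY_PEER. */
#define SID_CTX_MAX_LEN 32
#define VERIFY_NONE     0
#define VERIFY_PEER     1

struct tls_session {
    unsigned char sid_ctx[SID_CTX_MAX_LEN];
    unsigned int  sid_ctx_len;   /* context the session was minted under */
};

struct tls_server {
    unsigned char sid_ctx[SID_CTX_MAX_LEN];
    unsigned int  sid_ctx_len;   /* 0 until the application sets one */
    int           verify_mode;
};

enum resume_result {
    RESUME_OK = 0,                   /* session accepted for resumption */
    RESUME_CACHE_MISS,               /* other context: full handshake, no error */
    RESUME_FATAL_CTX_UNINITIALIZED   /* "session id context uninitialized" */
};

/* Counterpart of SSL_CTX_set_session_id_context: the context is an opaque
 * byte string, which is why s_server can pass the address of an int and
 * Postfix a C string. Only the length is constrained. */
int set_session_id_context(struct tls_server *srv, const void *ctx, unsigned int len)
{
    if (len > SID_CTX_MAX_LEN)
        return 0;                    /* OpenSSL: SSL_R_SSL_SESSION_ID_CONTEXT_TOO_LONG */
    memcpy(srv->sid_ctx, ctx, len);
    srv->sid_ctx_len = len;
    return 1;
}

/* The offered session has been located (cache or decrypted ticket);
 * decide whether it may be resumed under this server's context. */
enum resume_result try_resume(const struct tls_server *srv, const struct tls_session *sess)
{
    /* Minted under a different context (another application, or another
     * verification policy): silently treated as a cache miss. */
    if (sess->sid_ctx_len != srv->sid_ctx_len ||
        memcmp(sess->sid_ctx, srv->sid_ctx, sess->sid_ctx_len) != 0)
        return RESUME_CACHE_MISS;

    /* Client verification is on but no context was ever set: the server
     * cannot tell whether the session belongs to this policy, so it fails
     * loudly rather than quietly disabling resumption. */
    if ((srv->verify_mode & VERIFY_PEER) && srv->sid_ctx_len == 0)
        return RESUME_FATAL_CTX_UNINITIALIZED;

    return RESUME_OK;
}

/* Configure a server with (srv_ctx, srv_len), mint a session carrying
 * (sess_ctx, sess_len) and attempt resumption. Over-long contexts are
 * rejected as OpenSSL rejects them, i.e. left unset. */
enum resume_result simulate(int verify_mode,
                            const void *srv_ctx, unsigned int srv_len,
                            const void *sess_ctx, unsigned int sess_len)
{
    struct tls_server  srv;
    struct tls_session sess;

    memset(&srv, 0, sizeof srv);
    memset(&sess, 0, sizeof sess);
    srv.verify_mode = verify_mode;
    if (srv_len)
        set_session_id_context(&srv, srv_ctx, srv_len);
    if (sess_len && sess_len <= SID_CTX_MAX_LEN) {
        memcpy(sess.sid_ctx, sess_ctx, sess_len);
        sess.sid_ctx_len = sess_len;
    }
    return try_resume(&srv, &sess);
}

int main(void)
{
    static const int  s_server_ctx = 1;                 /* as in apps/s_server.c */
    static const char app_ctx[]    = "example-app/TLS"; /* constructed identifier */

    /* 1. No verify, no context: resumption works (the first case reported). */
    printf("no verify, no ctx : %d\n", simulate(VERIFY_NONE, NULL, 0, NULL, 0));
    /* 2. Verify peer, still no context: the reported error. */
    printf("verify, no ctx    : %d\n", simulate(VERIFY_PEER, NULL, 0, NULL, 0));
    /* 3. Verify peer with an application identifier set: works again. */
    printf("verify, app ctx   : %d\n", simulate(VERIFY_PEER, app_ctx, sizeof app_ctx,
                                                app_ctx, sizeof app_ctx));
    /* 4. s_server's "anything will do" int is just sizeof(int) opaque bytes. */
    printf("verify, int ctx   : %d\n", simulate(VERIFY_PEER, &s_server_ctx, sizeof s_server_ctx,
                                                &s_server_ctx, sizeof s_server_ctx));
    /* 5. A session minted under another context is never resumed here. */
    printf("foreign session   : %d\n", simulate(VERIFY_PEER, app_ctx, sizeof app_ctx,
                                                "other-app", 10));
    return 0;
}
```

The model shows why the value itself is arbitrary but setting it is not: the context is a label the server stamps into every session it mints and checks again on resumption, so sessions created by another application (or by the same binary under a different verification policy) that share a cache can never be resumed here and thereby skip this server's client-certificate check. Choosing a string that identifies the application, as Viktor suggests, keeps that separation meaningful when more than one program shares the same cache.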